[Owasp_framework_security_project] Kicking off the project

Jim Manico jim.manico at owasp.org
Wed Jan 22 22:51:49 UTC 2014


I’m a big fan of your work on the periodic table. We have got to get past
“lists” like OWASP Top 10, WASC TCv2, and CWE-25. Don’t get me wrong these
were a good start but we need more in terms of giving folks surgical
defense guidance. Most of these docs give high level defensive advice that
often leaves developers confused.

The OWASP periodic table provides guidance for each vulnerability class in
terms of WHERE to “control” that risk. These include standards, perimeter,
generic framework, custom frameworks and custom code. The detail in the
project so far is substantial.

There is perfect synergy between the periodic table and the framework
project. In fact, I bet they can be merged into the same project since they
are essentially trying to do the same thing. The framework project is
essentially a subset of the periodic table project.

Anyhow, good work Jerry and James. I’d love to see more synergy here as
James suggests.



*From:* James Landis [mailto:james.landis at owasp.org]
*Sent:* Friday, January 17, 2014 2:25 PM
*To:* Jerry Hoff
*Cc:* Michael Coates; owasp_framework_security_project at lists.owasp.org; Jim
*Subject:* Re: [Owasp_framework_security_project] Kicking off the project

Awesome! I'm super excited to see this project rolling!

Manico and I and a few others started putting together some thoughts on
this a few years ago as well, somewhat patterned after WAFEC:


A few points of discussion to consider (we can spin these off into
different threads if necessary):

1. Perhaps some introductions of the working group members would be in
order? :)

2. I think one of the key insights we had a few years ago is that a
framework falls somewhere on a continuum between "vulnerable out of the
box" and "developer can't introduce the vuln even if they tried". That is a
slightly different approach than the current one in the spreadsheet, though
some of this is captured in column B ("present/not present/in progress")
and column D ("en/disabled by default"). Punishment or reward for reaching
either of these two additional and extreme ends of the spectrum might be
valuable to capture in the scoring function.

3. The continuum in #1 sort of suggests that "vulnerabilities" are used
instead of "protections", though there does exist a discrete mapping
between the two and it might not be too hard to create different "views" of
the data for users who'd want to see how the frameworks stack up through
one lens or the other. My personal guess is that most groups that would be
making risk decisions about frameworks (product managers, engineering
managers, security teams) would be more comfortable with a
vulnerability-based view as opposed to a protection-based view, but of
course the only way to determine how well a framework does with a
vulnerability class is to measure the protections it has in place to
eliminate that vulnerability. So this probably is a matter of presentation
much more than it is a matter of measurement methodology.

4. If this group agrees with how the OWASP Periodic Table divides up the
protections between perimeter/platform, frameworks, browser/standards, and
custom code solutions, we can just go right down the list and
make sure all of the framework solution requirements documented there
are measured by the Framework Security project. Naturally, I'd want the
Periodic Table to be informed by any insights we gain on this project, as


On Wed, Jan 15, 2014 at 5:18 AM, Jerry Hoff <jerry at owasp.org> wrote:

Hi team,

I worked on a similar project a few years ago - it's probably out of date
but we might be able to get some good data out of it and add to the new



Jerry Hoff

jerry at owasp.org

On Jan 15, 2014, at 7:44 AM, Michael Coates <michael.coates at owasp.org> wrote:


Thanks to those that are helping out on the Django security controls. We're
starting to make some great progress!

I also posted in the django developer group to see if we can get traction
there (https://groups.google.com/forum/#!topic/django-developers/uc01Z2DZHh4).
We've got a handful of views so far.

Michael Coates

On Tue, Jan 14, 2014 at 8:41 AM, Michael Coates <michael.coates at owasp.org> wrote:


It's time for us to get moving on this project. After introducing the
project I hit a ton of work and unfortunately didn't get as much time on
this item.

Starting Things Up

The project will evolve as we gather information. For now let's start in a
google doc - it's easy to edit and easy for people to contribute. We also
need a framework to start with. I recommend we start with Django.

Here is the google spreadsheet. Please start contributing with any info you


Ways to help:

1. Add security controls to the list

2. Fill out the table with information

3. Email the list with ideas on how we should continue to evolve the project


Michael Coates

Owasp_framework_security_project mailing list
Owasp_framework_security_project at lists.owasp.org
